Aleksander W. Jarosz
May 9, 2023

Creative Ransomware Extortion; Further Malware Capabilities With ChatGPT


The Blackcat-Western Digital Ransomware Cyberattack Serves a Good Example of How Extortion Techniques Will Change Risk And Impact For Targeted Victims

Threat actors accessed the webcams of Western Digital employees during company meetings and threatened to release the media they captured. No further indication was given of what the captured media shows. This latest evolution of ransomware syndicates demonstrates an increased focus on extorting victims through new creative means that do not involve data recovery at all.

With techniques similar to those used in the Western Digital-Blackcat cyberattack, threat actors are increasingly leveraging victim data in new ways to damage personal or group reputations. New and current major ransomware syndicates, like Blackcat, will further explore this more personal technique in creative ways to maximize pressure on organizations to pay. (1) The technique is likely to see significant adoption among ransomware syndicates because it shifts the victim's risk calculation beyond simply time and money.

The downside of this development for security professionals is that the evolving cyberattacks may become more difficult to predict once a threat actor has breached the network. Security professionals are accustomed to modeling ransomware around high-value intellectual property and the vital proprietary data it relates to. Threat actors may less often seek out high-value companies and may instead shift to targeting vulnerable or risk-averse individuals. IT security will not likely be able to anticipate the new creative uses for data, which ransomware syndicates are now hunting for and which were not previously considered.

ChatGPT Remains a Limited Opportunity For Threat Actors, But Functionality Will Almost Certainly Expand Over The Next Year

At RSA 2023, SANS highlighted ChatGPT as an important and increasing risk, noting that it could possibly be used to create malware. (2) Large Language Model applications will almost certainly continue to see iterative use in malware development, very likely lowering the bar further for entry-level threat actors to execute advanced cyberattacks.

One recent development noted by EclecticIQ analysts involves a researcher who was able to manipulate ChatGPT into assembling malicious code designed to exfiltrate data from PDF and DOCX files, using steganography to encode and deliver the payload. (3) The resulting malware was of low quality and was detected by at least five AV vendors in initial tests, but it functioned per the researcher's design.

This latest proof of concept provides stronger evidence of how the malicious functionality of ChatGPT might be leveraged by users in the future. Researchers and threat actors will very likely continue to iterate on experiments that produce new malicious functionality using large-language-model-based applications. Malicious functionality, as it exists currently and into the short-term future, will remain highly modular. Because of this, malicious functions are likely to remain low-key and underappreciated, since the PoCs so far have failed to create much real impact. The question of whether ChatGPT can be used to write malware will be answered when users learn how to stitch these modular functions together to do more than complete one stage of a cyber kill chain. ChatGPT has so far demonstrated use in completing one phase of the kill chain. Over the next year, threat actors will likely be able to carry out entire kill chains with the help of ChatGPT, and that point will have many impacts on cybersecurity.

Structured Data

Find the Analyst Prompt and earlier editions in our public TAXII collection for easy use in your security stack: TAXII v1 Discovery services.

Please refer to our support page for guidance on how to access the feeds.

About EclecticIQ Intelligence and Research

EclecticIQ is a global provider of threat intelligence, hunting and response technology and services. Headquartered in Amsterdam, the EclecticIQ Intelligence and Research team is made up of experts from Europe and the U.S. with decades of experience in cyber security and intelligence in industry and government.

We would love to hear from you. Please send us your feedback by emailing us at research@eclecticiq.com or fill in the EclecticIQ Audience Interest Survey to drive our research toward your priority area.


Appendix

[1] DarkReading, "BlackCat Trolls Western Digital With Leaked Response Meeting Image," May 1, 2023. https://www.darkreading.com/remote-workforce/ransomware-group-trolls-western-digital-threat-hunters-/ (accessed May 1, 2023).

[2] DarkReading, "SANS Reveals Top 5 Most Dangerous Cyberattacks for 2023," Apr. 27, 2023. https://www.darkreading.com/attacks-breaches/sans-lists-top-5-most-dangerous-cyberattacks-in-2023 (accessed May 1, 2023).

[3] Forcepoint, "I built a Zero Day virus with undetectable exfiltration using only ChatGPT prompts," Apr. 4, 2023. https://www.forcepoint.com/blog/x-labs/zero-day-exfiltration-using-chatgpt-prompts (accessed May 1, 2023).
